US11206135B2ActiveUtilityA1

Forward secrecy in Transport Layer Security (TLS) using ephemeral keys

76
Assignee: IBMPriority: Nov 11, 2019Filed: Nov 11, 2019Granted: Dec 21, 2021
Est. expiryNov 11, 2039(~13.3 yrs left)· nominal 20-yr term from priority
H04L 63/166H04L 63/062H04L 63/0428H04L 9/3265H04L 9/3247H04L 9/302H04L 9/14H04L 9/0891H04L 9/0825H04L 9/0861H04L 63/0823H04L 9/3073
76
PatentIndex Score
2
Cited by
11
References
18
Claims

Abstract

Transport Layer Security (TLS) connection establishment between a client and a server for a new session is enabled using an ephemeral (temporary) key pair. In response to a request, the server generates a temporary certificate by signing an ephemeral public key using the server's private key. A certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate, is output to the client by the server, which acts as a subordinate Certificate Authority. The client validates the certificates, generates a session key and outputs the session key wrapped by the ephemeral public key. To complete the connection establishment, the server applies the ephemeral private key to recover the session key derived at the client for the new session. The client and server thereafter use the session key to encrypt and decrypt data over the link. The ephemeral key pair is not reused.

Claims

exact text as granted — not AI-modified
Having described the subject matter, what we claim is as follows: 
     
       1. A method of preventing compromise of a set of derived session keys for a Transport Layer Security (TLS)-based link between a client and a server, the server having a public key pair comprising a server public key, and an associated server private key, comprising:
 at the server:
 responsive to receipt of a request to establish a new session, obtaining a server ephemeral key pair comprising an ephemeral public key, and an associated ephemeral private key; 
 generating a temporary certificate by signing the ephemeral public key using the server private key; 
 outputting to the client a certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate that includes the server public key; 
 receiving a message from the client, the message having been generated by the client applying the ephemeral public key of the server to a session key derived for the new session; and 
 recovering the session key derived for the new session by applying the ephemeral private key of the server to the message to complete establishment of the new session; 
 
 wherein compromise of a key associated with establishment of the new session does not compromise one or more other derived session keys of the set. 
 
     
     
       2. The method as described in  claim 1  further including generating a pool of ephemeral key pairs prior to receipt of the request, the ephemeral key pair being retrieved from the pool. 
     
     
       3. The method as described in  claim 1  wherein the ephemeral key pair is discarded and not re-used following closing of the new session. 
     
     
       4. The method as described in  claim 1  wherein the server certificate serves as a subordinate Certificate Authority. 
     
     
       5. The method as described in  claim 1  wherein each of the key pairs is a Rivest-Shamir-Adelman (RSA) key pair. 
     
     
       6. The method as described in  claim 1  wherein the server ephemeral key pair is generated randomly. 
     
     
       7. An apparatus configured as a server, comprising:
 a processor; 
 computer memory holding computer program instructions executed by the processor, the computer program instructions comprising program code configured to prevent compromise of a set of derived session keys for a Transport Layer Security (TLS)-based link between a client and the server, the server having a public key pair comprising a server public key, and an associated server private key, the program code configured at the server to:
 responsive to receipt of a request to establish a new session, obtain a server ephemeral key pair comprising an ephemeral public key, and an associated ephemeral private key; 
 generate a temporary certificate by signing the ephemeral public key using the server private key; 
 output to the client a certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate that includes the server public key; 
 receive a message from the client, the message having been generated by the client applying the ephemeral public key of the server to a session key derived for the new session; and 
 recover the session key derived for the new session by applying the ephemeral private key of the server to the message to complete establishment of the new session; 
 
 wherein compromise of a key associated with establishment of the new session does not compromise one or more other derived session keys of the set. 
 
     
     
       8. The apparatus as described in  claim 7  wherein the program code is further configured to generate a pool of ephemeral key pairs prior to receipt of the request, the ephemeral key pair being retrieved from the pool. 
     
     
       9. The apparatus as described in  claim 7  wherein the program code is further configured to discard the server ephemeral key pair and prevent its reuse after the new session is closed. 
     
     
       10. The apparatus as described in  claim 7  wherein the server certificate serves as a subordinate Certificate Authority. 
     
     
       11. The apparatus as described in  claim 7  wherein each of the key pairs is a Rivest-Shamir-Adelman (RSA) key pair. 
     
     
       12. The apparatus as described in  claim 7  wherein the program code is configured to generate the server ephemeral key pair randomly. 
     
     
       13. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system to prevent compromise of a set of derived session keys for a Transport Layer Security (TLS)-based link between a client and a server, the server corresponding to the data processing system and having a public key pair comprising a server public key, and an associated server private key, the computer program instructions comprising program code configured at the server to:
 responsive to receipt of a request to establish a new session, obtain a server ephemeral key pair comprising an ephemeral public key, and an associated ephemeral private key; 
 generate a temporary certificate by signing the ephemeral public key using the server private key; 
 output to the client a certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate that includes the server public key; 
 receive a message from the client, the message having been generated by the client applying the ephemeral public key of the server to a session key derived for the new session; and 
 recover the session key derived for the new session by applying the ephemeral private key of the server to the message to complete establishment of the new session; 
 wherein compromise of a key associated with establishment of the new session does not compromise one or more other derived session keys of the set. 
 
     
     
       14. The computer program product as described in  claim 13  wherein the program code is further configured to generate a pool of ephemeral key pairs prior to receipt of the request, the ephemeral key pair being retrieved from the pool. 
     
     
       15. The computer program product as described in  claim 13  wherein the program code is further configured to discard the server ephemeral key pair and prevent its reuse after the new session is closed. 
     
     
       16. The computer program product as described in  claim 13  wherein the server certificate serves as a subordinate Certificate Authority. 
     
     
       17. The computer program product as described in  claim 13  wherein each of the key pairs is a Rivest-Shamir-Adelman (RSA) key pair. 
     
     
       18. The computer program product as described in  claim 17  wherein the program code is configured to generate the server ephemeral key pair randomly.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.